https://cerbos.dev logo
Join Slack
Powered by
I have a design question: what kinds of checks sho...
# help
y
I have a design question: what kinds of checks should be done in Cerbos and which checks should be done in app code? For example let's say a "teacher" can make a back-end request to "grade" "homework". For a teacher to do that the following needs to be met: • The user is actually a teacher at all • The teacher is grading within office hours (they cannot grade outside of that) • The teacher is part of staff of the course under which the homework is • The teacher must have downloaded all of homework's files before they're allowed to grade it • The homework was not already graded by another teach BUT if it's the same teacher updating the grade WITHIN 30 minutes of prior grading it's fine that can go through • ... Which of these would be in the request handler function, and which of these would go into Cerbos? Notably a lot of these checks rely on distant data that is potentially not even relevant to the principal/resource
❤️ 1
The example above is hypothetical and not exactly what I am dealing with, but it should get the point across
Like if some checks have to be done in request handler (at least input validation?) they why not slide everything in there too
For a bit of context the backend I work on is microservices one so data may have to be RPC'ed from another service entirely
s
I'll tackle each of the bullet points individually. Acknowledging the scenario is hypothetical, it might still show general strategies and reasoning for when making similar choices. > The user is actually a teacher at all This sounds like a good candidate for a concrete role, e.g. 
TEACHER
. If your roles aren't quite so granular (e.g. 
STAFF
), you can provide this context as a principal attribute 
"teacher" in P.attr.teams
. > The teacher is grading within office hours (they cannot grade outside of that) Something like the following would work (I've arbitrarily passed "GB" as a timezone here, it would be up to you to handle this accordingly). If requests aren't real-time or if you want absolute guarantees over time comparisons, you'd probably pass the client's version of 
now()
rather than relying on the PDPs understanding of it:
Copy code
timestamp(now()).getHours("GB") >= 9 && timestamp(now()).getHours("GB") <= 17
> The teacher is part of staff of the course under which the homework is Something like: 
R.attr.course in P.attr.courses
> The teacher must have downloaded all of homework's files before they're allowed to grade it The PDP is stateless, so you'd need to assert this in your application code or provide all of the necessary context in the request for the PDP to make the decision, e.g.
Copy code
P.attr.assignments_downloaded[R.id] == R.attr.n_candidates
Where 
assignments_downloaded
is a map of resource IDs to the number of unique downloads (maybe not the most elegant approach, but indicative 🙂) > The homework was not already graded by another teach BUT if it's the same teacher updating the grade WITHIN 30 minutes of prior grading it's fine that can go through Similarly, the statelessness of the PDP require some level of inference here from your application, specifically with regards to determining previous access. So if done in the PDP, you'd need to pass required context in the request. This particular case might be better off at the app level, but again, it depends!
y
Hmm, I see! So the thing I can notice here is that for the most part it's ensuring 
P
and 
R
have enough relationships preloaded in them for Cerbos to make a decision
👍 1
When I wrote my question I thought most of these were going to be in app code but I see that this is not necessarily the case 🙂 Thanks for the insights!
🙌 1
2 Views
Open in Slack
PreviousNext
Powered by